GDPR Compliance

I. Introduction

B. TECH & INNOVATIONS OÜ, registered under the laws of Estonia with registry code 16973747, and located at Harju maakond, Tallinn, Põhja-Tallinna linnaosa, Põhja pst 5-8, 10412, is committed to the rigorous protection of personal data. This GDPR Compliance Documentation outlines the policies, procedures, and responsibilities that BLOCX adheres to in compliance with the General Data Protection Regulation (GDPR) (EU) 2016/679. Our aim is to ensure the highest standard of privacy and protection in handling personal data across all facets of our operations.

II. Scope and Application

This document applies universally to all departments, employees, and contracted parties of BLOCX involved in the collection, processing, and management of personal data under the B. TECH & INNOVATIONS OÜ umbrella. It encompasses all personal data processed by BLOCX, whether digital or paper-based, from initial collection to final disposal.

III. Data Protection Principles

A. Lawfulness, Fairness, and Transparency

Processing of personal data will be conducted lawfully, fairly, and transparently, ensuring respect for the rights and privacy of the individuals concerned. We commit to maintaining open communication with data subjects regarding their data processing.

B. Purpose Limitation

Data collected will be for specific, legitimate purposes only, and not used in any way incompatible with those purposes. We maintain documentation of all data processing objectives to guarantee compliance.

C. Data Minimization

We adhere to strict data minimization principles, ensuring that only data necessary for the intended purpose are processed. Regular audits help to enforce this principle.

D. Accuracy

The accuracy of personal data is imperative. Procedures are in place to ensure that inaccurate or outdated data are promptly corrected or deleted.

E. Storage Limitation

Data are retained only for as long as necessary to fulfill the purposes for which they were collected. This includes compliance with legal and contractual data retention requirements.

F. Integrity and Confidentiality

Ensuring data security is paramount. We employ advanced technical and organizational measures to safeguard personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage.

IV. Roles and Responsibilities

A. Data Controller

As a data controller, BLOCX determines the purposes and means of processing personal data. Responsibilities include establishing policies and procedures to ensure GDPR compliance and demonstrating compliance to regulatory bodies.

B. Data Processor

Data processors are third parties that process personal data on behalf of BLOCX. They are contractually bound to handle data in accordance with the provisions set out by BLOCX and GDPR regulations.

V. Lawfulness of Processing

We ensure that all data processing activities have a lawful basis, such as:

• Consent: Obtaining explicit consent from data subjects for the processing of their personal data.
• Contract: Processing necessary for the performance of a contract or to take steps to enter into a contract.
• Legal Obligation: Processing necessary for compliance with a legal obligation.
• Vital Interests: Processing necessary to protect the vital interests of a data subject or another person.
• Public Task: Processing necessary for the performance of a task carried out in the public interest.
• Legitimate Interests: Processing necessary for the legitimate interests pursued by BLOCX or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
  
  

VI. Rights of Data Subjects

Data subjects have comprehensive rights under the GDPR, including:

• Access: The right to obtain confirmation as to whether or not personal data concerning them is being processed, and, where that is the case, access to the personal data.
• Rectification: The right to have inaccurate personal data rectified, or completed if it is incomplete.
• Erasure (‘Right to be Forgotten’): The right to have personal data erased without undue delay under certain circumstances.
• Restrict Processing: The right to request the restriction or suppression of their personal data.
• Data Portability: The right to receive personal data they have provided to a controller in a structured, commonly used and machine-readable format.
• Object: The right to object to the processing of their personal data in certain circumstances, including for direct marketing.

VII. Data Subject Access Requests

Detailed procedures are established to ensure timely and accurate responses to data subject access requests. Staff are trained to handle such requests efficiently, respecting the statutory deadline of one month.

VIII. Data Protection Measures

BLOCX employs a range of technical and organizational measures designed to ensure the ongoing integrity and confidentiality of personal data. These include:

• Data Encryption: Utilizing state-of-the-art encryption technologies to protect data during transmission and storage.
• Access Controls: Ensuring that access to personal data is strictly limited to authorized personnel based on their roles and responsibilities.
• Data Anonymization and Pseudonymization: Implementing techniques to reduce the identifiability of data subjects.
• Regular Security Assessments and Penetration Testing: Conducting regular security evaluations and tests to identify and mitigate potential vulnerabilities.

IX. Data Breach Notification Procedures

In the case of a personal data breach, BLOCX has established a swift response plan to assess the likely risk to individuals’ rights and freedoms and will notify the appropriate supervisory authority within 72 hours, unless the breach is unlikely to result in a risk to the individuals. Affected individuals are also notified without undue delay if the breach could result in a high risk to their rights and freedoms.

X. Data Protection Impact Assessment (DPIA)

Whenever processing is likely to result in high risk to data subjects, DPIAs are conducted to systematically analyze, identify, and minimize the data protection risks. DPIAs are integral to our IT projects and product development processes, ensuring that privacy considerations are embedded from the outset.

XI. Data Transfers

Regarding international data transfers, BLOCX adheres to strict procedures and legal mechanisms, such as the use of Standard Contractual Clauses, to ensure that the level of protection afforded to personal data is not undermined.

XII. Training and Awareness

We provide comprehensive training on GDPR compliance to all employees handling personal data. Regular updates and refreshers ensure that staff remain aware of their obligations and the latest data protection standards.

XIII. Record Keeping

Records of all data processing activities are maintained to demonstrate compliance with GDPR. These records include details of the data processing purposes, data sharing, and retention.

XIV. Review and Updates

Our GDPR Compliance Documentation is reviewed annually or whenever significant changes to data processing practices occur. This ensures that the documentation remains up-to-date and compliant with the latest regulatory and operational changes.

XV. Contact Information

For further information on our data protection policies or to contact our Data Protection Officer, please use the following email: contact@blocx.tech